_('Allowed with manual account activation')),

            ('hg.register.auto_activate',

                _('Allowed with automatic account activation')), ]

        c.extern_activate_choices = [

            ('hg.extern_activate.manual', _('Manual activation of external account')),

            ('hg.extern_activate.auto', _('Automatic activation of external account')),

        ]

        c.repo_create_choices = [('hg.create.none', _('Disabled')),

                                 ('hg.create.repository', _('Enabled'))]

        c.user_group_create_choices = [('hg.usergroup.create.false', _('Disabled')),

                                       ('hg.usergroup.create.true', _('Enabled'))]

        c.fork_choices = [('hg.fork.none', _('Disabled')),

                          ('hg.fork.repository', _('Enabled'))]

    def permission_globals(self):

        c.active = 'globals'

        self.__load_data()

        if request.POST:

            _form = DefaultPermissionsForm(

                [x[0] for x in c.repo_perms_choices],

                [x[0] for x in c.group_perms_choices],

                [x[0] for x in c.user_group_perms_choices],

                [x[0] for x in c.repo_create_choices],

                [x[0] for x in c.repo_group_create_choices],

                [x[0] for x in c.user_group_create_choices],

                [x[0] for x in c.fork_choices],

                [x[0] for x in c.register_choices],

                [x[0] for x in c.extern_activate_choices])()

            try:

                form_result = _form.to_python(dict(request.POST))

                form_result.update({'perm_user_name': 'default'})

                PermissionModel().update(form_result)

                Session().commit()

                h.flash(_('Global permissions updated successfully'),

        defaults = {'anonymous': c.user.active}

        for p in c.user.user_perms:

            if p.permission.permission_name.startswith('repository.'):

                defaults['default_repo_perm'] = p.permission.permission_name

            if p.permission.permission_name.startswith('group.'):

                defaults['default_group_perm'] = p.permission.permission_name

            if p.permission.permission_name.startswith('usergroup.'):

                defaults['default_user_group_perm'] = p.permission.permission_name

            elif p.permission.permission_name.startswith('hg.create.'):

                defaults['default_repo_create'] = p.permission.permission_name

            if p.permission.permission_name.startswith('hg.usergroup.'):

                defaults['default_user_group_create'] = p.permission.permission_name

            if p.permission.permission_name.startswith('hg.register.'):

                defaults['default_register'] = p.permission.permission_name

            if p.permission.permission_name.startswith('hg.extern_activate.'):

                defaults['default_extern_activate'] = p.permission.permission_name

import celery.result

import formencode

from formencode import htmlfill

from tg import request

from tg import tmpl_context as c

from tg.i18n import ugettext as _

from webob.exc import HTTPForbidden, HTTPFound, HTTPInternalServerError, HTTPNotFound

import kallithea

from kallithea.config.routing import url

from kallithea.lib import helpers as h

from kallithea.lib.base import BaseRepoController, jsonify, render

from kallithea.lib.exceptions import AttachedForksError

from kallithea.lib.utils import action_logger

from kallithea.lib.utils2 import safe_int

from kallithea.lib.vcs import RepositoryError

from kallithea.model.db import RepoGroup, Repository, RepositoryField, Setting, UserFollowing

from kallithea.model.forms import RepoFieldForm, RepoForm, RepoPermsForm

from kallithea.model.meta import Session

from kallithea.model.repo import RepoModel

from kallithea.model.scm import AvailableRepoGroupChoices, RepoList, ScmModel

        super(ReposController, self)._before(*args, **kwargs)

    def _load_repo(self):

        repo_obj = c.db_repo

        if repo_obj is None:

            h.not_mapped_error(c.repo_name)

            raise HTTPFound(location=url('repos'))

        return repo_obj

    def __load_defaults(self, repo=None):

        extras = [] if repo is None else [repo.group]

        c.landing_revs_choices, c.landing_revs = ScmModel().get_repo_landing_revs(repo)

    def __load_data(self):

        """

        Load defaults settings for edit, and update

        """

        c.repo_info = self._load_repo()

        self.__load_defaults(c.repo_info)

        defaults = RepoModel()._get_defaults(c.repo_name)

        defaults['clone_uri'] = c.repo_info.clone_uri_hidden # don't show password

import traceback

import formencode

from formencode import htmlfill

from tg import request

from tg import tmpl_context as c

from tg.i18n import ugettext as _

from webob.exc import HTTPFound

import kallithea

import kallithea.lib.helpers as h

from kallithea.config.routing import url

from kallithea.lib.base import BaseRepoController, render

from kallithea.lib.page import Page

from kallithea.lib.utils2 import safe_int

from kallithea.model.db import Repository, Ui, UserFollowing

from kallithea.model.forms import RepoForkForm

from kallithea.model.repo import RepoModel

from kallithea.model.scm import AvailableRepoGroupChoices, ScmModel

log = logging.getLogger(__name__)

class ForksController(BaseRepoController):

    def __load_defaults(self):

        c.landing_revs_choices, c.landing_revs = ScmModel().get_repo_landing_revs()

        c.can_update = Ui.get_by_key('hooks', Ui.HOOK_UPDATE).ui_active

    def __load_data(self):

        """

        Load defaults settings for edit, and update

        """

        self.__load_defaults()

        c.repo_info = c.db_repo

    # fetch default permissions

    #======================================================================

    default_repo_perms = Permission.get_default_perms(kallithea.DEFAULT_USER_ID)

    default_repo_groups_perms = Permission.get_default_group_perms(kallithea.DEFAULT_USER_ID)

    default_user_group_perms = Permission.get_default_user_group_perms(kallithea.DEFAULT_USER_ID)

    if user_is_admin:

        #==================================================================

        # admin users have all rights;

        # based on default permissions, just set everything to admin

        #==================================================================

        permissions[GLOBAL].add('hg.admin')

        # repositories

        for perm in default_repo_perms:

            r_k = perm.repository.repo_name

            p = 'repository.admin'

            permissions[RK][r_k] = p

        # repository groups

        for perm in default_repo_groups_perms:

            rg_k = perm.group.group_name

            p = 'group.admin'

            permissions[GK][rg_k] = p

            permissions[GLOBAL].add(perm.permission.permission_name)

    # user specific global permissions

    user_perms = Session().query(UserToPerm) \

            .options(joinedload(UserToPerm.permission)) \

            .filter(UserToPerm.user_id == user_id).all()

    for perm in user_perms:

        permissions[GLOBAL].add(perm.permission.permission_name)

    # for each kind of global permissions, only keep the one with heighest weight

    kind_max_perm = {}

        kind = perm.rsplit('.', 1)[0]

        kind_max_perm[kind] = perm

    permissions[GLOBAL] = set(kind_max_perm.values())

    ## END GLOBAL PERMISSIONS

    #======================================================================

    # !! PERMISSIONS FOR REPOSITORIES !!

    #======================================================================

    #======================================================================

    # check if user is part of user groups for this repository and

    # fill in his permission from it.

    #======================================================================

        ('usergroup.none', _('Default user has no access to new user groups')),

        ('usergroup.read', _('Default user has read access to new user groups')),

        ('usergroup.write', _('Default user has write access to new user groups')),

        ('usergroup.admin', _('Default user has admin access to new user groups')),

        ('hg.usergroup.create.false', _('Only admins can create user groups')),

        ('hg.usergroup.create.true', _('Non-admins can create user groups')),

        ('hg.create.none', _('Only admins can create top level repositories')),

        ('hg.create.repository', _('Non-admins can create top level repositories')),

        ('hg.fork.none', _('Only admins can fork repositories')),

        ('hg.fork.repository', _('Non-admins can fork repositories')),

        ('hg.register.none', _('Registration disabled')),

        ('hg.register.manual_activate', _('User registration with manual account activation')),

        ('hg.register.auto_activate', _('User registration with automatic account activation')),

        ('hg.extern_activate.manual', _('Manual activation of external account')),

        ('hg.extern_activate.auto', _('Automatic activation of external account')),

    )

    # definition of system default permissions for DEFAULT user

    DEFAULT_USER_PERMISSIONS = (

        'repository.read',

        'group.read',

        'usergroup.read',

        'hg.create.repository',

        'hg.fork.repository',

        'hg.register.manual_activate',

        'hg.extern_activate.auto',

    )

    # defines which permissions are more important higher the more important

    # Weight defines which permissions are more important.

    # The higher number the more important.

    PERM_WEIGHTS = {

        'repository.none': 0,

        'repository.read': 1,

        'repository.write': 3,

        'usergroup.write': 3,

        'usergroup.admin': 4,

        'hg.usergroup.create.false': 0,

        'hg.usergroup.create.true': 1,

        'hg.fork.none': 0,

        'hg.fork.repository': 1,

        'hg.create.none': 0,

        'hg.create.repository': 1,

        'hg.register.none': 0,

        'hg.register.manual_activate': 1,

        'hg.register.auto_activate': 2,

        'hg.extern_activate.manual': 0,

        'hg.extern_activate.auto': 1,

    }

    permission_id = Column(Integer(), primary_key=True)

    permission_name = Column(String(255), nullable=False)

    def __repr__(self):

        hooks_changegroup_update = v.StringBoolean(if_missing=False)

        hooks_changegroup_repo_size = v.StringBoolean(if_missing=False)

        extensions_largefiles = v.StringBoolean(if_missing=False)

        extensions_hgsubversion = v.StringBoolean(if_missing=False)

        extensions_hggit = v.StringBoolean(if_missing=False)

    return _ApplicationUiSettingsForm

def DefaultPermissionsForm(repo_perms_choices, group_perms_choices,

                           user_group_perms_choices, create_choices,

                           user_group_create_choices, fork_choices,

                           register_choices, extern_activate_choices):

    class _DefaultPermissionsForm(formencode.Schema):

        allow_extra_fields = True

        filter_extra_fields = True

        overwrite_default_repo = v.StringBoolean(if_missing=False)

        overwrite_default_group = v.StringBoolean(if_missing=False)

        overwrite_default_user_group = v.StringBoolean(if_missing=False)

        anonymous = v.StringBoolean(if_missing=False)

        default_repo_perm = v.OneOf(repo_perms_choices)

        default_group_perm = v.OneOf(group_perms_choices)

        default_user_group_perm = v.OneOf(user_group_perms_choices)

        default_repo_create = v.OneOf(create_choices)

        default_user_group_create = v.OneOf(user_group_create_choices)

        default_fork = v.OneOf(fork_choices)

        default_register = v.OneOf(register_choices)

        default_extern_activate = v.OneOf(extern_activate_choices)

    return _DefaultPermissionsForm

def CustomDefaultPermissionsForm():

    class _CustomDefaultPermissionsForm(formencode.Schema):

        filter_extra_fields = True

        allow_extra_fields = True

            # it will fix even if we define more permissions or permissions

            # are somehow missing

            u2p = UserToPerm.query() \

                .filter(UserToPerm.user == perm_user) \

                .all()

            for p in u2p:

                Session().delete(p)

            # create fresh set of permissions

            for def_perm_key in ['default_repo_perm',

                                 'default_group_perm',

                                 'default_user_group_perm',

                                 'default_repo_create',

                                 'default_user_group_create',

                                 'default_fork',

                                 'default_register',

                                 'default_extern_activate']:

                p = _make_new(perm_user, form_result[def_perm_key])

                Session().add(p)

            # stage 3 update all default permissions for repos if checked

            if form_result['overwrite_default_repo']:

                _def_name = form_result['default_repo_perm'].split('repository.')[-1]

                _def = Permission.get_by_key('repository.' + _def_name)

                # repos

        def _convert_to_python(self, value, state):

            # root location

            if value == -1:

                return None

            return value

        def _validate_python(self, value, state):

            gr = RepoGroup.get(value)

            gr_name = gr.group_name if gr is not None else None # None means ROOT location

            # create repositories with write permission on group is set to true

            group_admin = HasRepoGroupPermissionLevel('admin')(gr_name,

                                            'can write into group validator')

            group_write = HasRepoGroupPermissionLevel('write')(gr_name,

                                            'can write into group validator')

            can_create_repos = HasPermissionAny('hg.admin', 'hg.create.repository')

            gid = (old_data['repo_group'].get('group_id')

                   if (old_data and 'repo_group' in old_data) else None)

            value_changed = gid != value

            new = not old_data

            # do check if we changed the value, there's a case that someone got

            # revoked write permissions to a repository, he still created, we

            # don't need to check permission if he didn't change the value of

            # groups in form box

            if value_changed or new:

                # parent group need to be existing

                if gr and forbidden:

                    <span class="help-block">${_('Permissions for the Default user on new user groups.')}</span>

                </div>

            </div>

            <div class="form-group">

                <label class="control-label" for="default_repo_create">${_('Top level repository creation')}:</label>

                <div>

                    ${h.select('default_repo_create','',c.repo_create_choices,class_='form-control')}

                    <span class="help-block">${_('Enable this to allow non-admins to create repositories at the top level.')}</span>

                    <span class="help-block">${_('Note: This will also give all users API access to create repositories everywhere. That might change in future versions.')}</span>

                </div>

            </div>

            <div class="form-group">

                <label class="control-label" for="default_user_group_create">${_('User group creation')}:</label>

                <div>

                    ${h.select('default_user_group_create','',c.user_group_create_choices,class_='form-control')}

                    <span class="help-block">${_('Enable this to allow non-admins to create user groups.')}</span>

                </div>

            </div>

            <div class="form-group">

                <label class="control-label" for="default_fork">${_('Repository forking')}:</label>

                <div>

                    ${h.select('default_fork','',c.fork_choices,class_='form-control')}

                    <span class="help-block">${_('Enable this to allow non-admins to fork repositories.')}</span>

                </div>

                        ${h.link_to(group.name, url('repos_group_home', group_name=group.group_name))}

                        »

                    %endfor

                    ${c.group.name}

                %endif

            </div>

            %if request.authuser.username != 'default':

              <div class="pull-right">

                <%

                    gr_name = c.group.group_name if c.group else None

                    # create repositories with write permission on group is set to true

                    group_admin = h.HasRepoGroupPermissionLevel('admin')(gr_name, 'can write into group index page')

                    group_write = h.HasRepoGroupPermissionLevel('write')(gr_name, 'can write into group index page')

                %>

                  %if c.group:

                        <a href="${h.url('new_repo',parent_group=c.group.group_id)}" class="btn btn-default btn-xs"><i class="icon-plus"></i>${_('Add Repository')}</a>

                        %if h.HasPermissionAny('hg.admin')() or h.HasRepoGroupPermissionLevel('admin')(c.group.group_name):

                            <a href="${h.url('new_repos_group', parent_group=c.group.group_id)}" class="btn btn-default btn-xs"><i class="icon-plus"></i>${_('Add Repository Group')}</a>

                        %endif

                  %else:

                    <a href="${h.url('new_repo')}" class="btn btn-default btn-xs"><i class="icon-plus"></i>${_('Add Repository')}</a>

                    %if h.HasPermissionAny('hg.admin')():

                        <a href="${h.url('new_repos_group')}" class="btn btn-default btn-xs"><i class="icon-plus"></i>${_('Add Repository Group')}</a>

                    %endif

                  %endif

                %endif

        usr = 'default'

        user_model.revoke_perm(usr, 'hg.create.none')

        user_model.grant_perm(usr, 'hg.create.repository')

        user_model.revoke_perm(usr, 'hg.fork.none')

        user_model.grant_perm(usr, 'hg.fork.repository')

        Session().commit()

        u1_auth = AuthUser(user_id=self.u1.user_id)

        # this user will have inherited permissions from default user

        assert u1_auth.permissions['global'] == set(['hg.create.repository', 'hg.fork.repository',

                              'hg.register.manual_activate',

                              'hg.extern_activate.auto',

                              'repository.read', 'group.read',

    def test_inherit_sad_permissions_from_default_user(self):

        user_model = UserModel()

        # disable fork and create on default user

        usr = 'default'

        user_model.revoke_perm(usr, 'hg.create.repository')

        user_model.grant_perm(usr, 'hg.create.none')

        user_model.revoke_perm(usr, 'hg.fork.repository')

        user_model.grant_perm(usr, 'hg.fork.none')

        Session().commit()

        u1_auth = AuthUser(user_id=self.u1.user_id)

        # this user will have inherited permissions from default user

        assert u1_auth.permissions['global'] == set(['hg.create.none', 'hg.fork.none',

                              'hg.register.manual_activate',

                              'hg.extern_activate.auto',

                              'repository.read', 'group.read',

    def test_inherit_more_permissions_from_default_user(self):

        user_model = UserModel()

        # enable fork and create on default user

        usr = 'default'

        user_model.revoke_perm(usr, 'hg.create.none')

        user_model.grant_perm(usr, 'hg.create.repository')

        user_model.revoke_perm(usr, 'hg.fork.none')

        user_model.grant_perm(usr, 'hg.fork.repository')

        # disable global perms on specific user

        user_model.revoke_perm(self.u1, 'hg.create.repository')

        user_model.revoke_perm(self.u1, 'hg.fork.repository')

        user_model.grant_perm(self.u1, 'hg.fork.none')

        Session().commit()

        u1_auth = AuthUser(user_id=self.u1.user_id)

        # this user will have inherited more permissions from default user

        assert u1_auth.permissions['global'] == set([

                              'hg.create.repository',

                              'hg.fork.repository',

                              'hg.register.manual_activate',

                              'hg.extern_activate.auto',

                              'repository.read', 'group.read',

    def test_inherit_less_permissions_from_default_user(self):

        user_model = UserModel()

        # disable fork and create on default user

        usr = 'default'

        user_model.revoke_perm(usr, 'hg.create.repository')

        user_model.grant_perm(usr, 'hg.create.none')

        user_model.revoke_perm(usr, 'hg.fork.repository')

        user_model.grant_perm(usr, 'hg.fork.none')

        # enable global perms on specific user

        user_model.revoke_perm(self.u1, 'hg.create.none')

        user_model.revoke_perm(self.u1, 'hg.fork.none')

        user_model.grant_perm(self.u1, 'hg.fork.repository')

        Session().commit()

        u1_auth = AuthUser(user_id=self.u1.user_id)

        # this user will have inherited less permissions from default user

        assert u1_auth.permissions['global'] == set([

                              'hg.create.repository',

                              'hg.fork.repository',

                              'hg.register.manual_activate',

                              'hg.extern_activate.auto',

                              'repository.read', 'group.read',

    def test_inactive_user_group_does_not_affect_global_permissions(self):

        # Add user to inactive user group, set specific permissions on user

        # group and and verify it really is inactive.

        self.ug1 = fixture.create_user_group('G1')

        user_group_model = UserGroupModel()

        user_group_model.add_user_to_group(self.ug1, self.u1)

        user_group_model.update(self.ug1, {'users_group_active': False})

        # enable fork and create on user group

        user_group_model.revoke_perm(self.ug1, perm='hg.create.none')

        user_group_model.grant_perm(self.ug1, perm='hg.create.repository')

        user_model.grant_perm(usr, 'hg.create.none')

        user_model.revoke_perm(usr, 'hg.fork.repository')

        user_model.grant_perm(usr, 'hg.fork.none')

        Session().commit()

        u1_auth = AuthUser(user_id=self.u1.user_id)

        assert u1_auth.permissions['global'] == set(['hg.create.none', 'hg.fork.none',

                              'hg.register.manual_activate',

                              'hg.extern_activate.auto',

                              'repository.read', 'group.read',

                              'usergroup.read',

    def test_inactive_user_group_does_not_affect_global_permissions_inverse(self):

        # Add user to inactive user group, set specific permissions on user

        # group and and verify it really is inactive.

        self.ug1 = fixture.create_user_group('G1')

        user_group_model = UserGroupModel()

        user_group_model.add_user_to_group(self.ug1, self.u1)

        user_group_model.update(self.ug1, {'users_group_active': False})

        # disable fork and create on user group

        user_group_model.revoke_perm(self.ug1, perm='hg.create.repository')

        user_group_model.grant_perm(self.ug1, perm='hg.create.none')

        user_model.grant_perm(usr, 'hg.create.repository')

        user_model.revoke_perm(usr, 'hg.fork.none')

        user_model.grant_perm(usr, 'hg.fork.repository')

        Session().commit()

        u1_auth = AuthUser(user_id=self.u1.user_id)

        assert u1_auth.permissions['global'] == set(['hg.create.repository', 'hg.fork.repository',

                              'hg.register.manual_activate',

                              'hg.extern_activate.auto',

                              'repository.read', 'group.read',

                              'usergroup.read',

    def test_inactive_user_group_does_not_affect_repo_permissions(self):

        self.ug1 = fixture.create_user_group('G1')

        user_group_model = UserGroupModel()

        user_group_model.add_user_to_group(self.ug1, self.u1)

        user_group_model.update(self.ug1, {'users_group_active': False})

        # note: make u2 repo owner rather than u1, because the owner always has

        # admin permissions

        self.test_repo = fixture.create_repo(name='myownrepo',

                                             repo_type='hg',

                                             cur_user=self.u2)